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Abstract 

These  sets  of  notes  are  somewhat  fleshed  out  version  of  the  Sec- 
tion 1.2.  of  Lovasz's  Book  "An  Algorithmic  Theory  of  Numbers, 
Graphs  and  Convexity.'"  Both  Cassel's  and  Lekkerkerker's  books 
are  excellent  texts  on  Geometry  of  Numbers.  However,  we  need 
only  a  small  portion  of  these  books,  and  we  develop  the  materials 
ab  initio. 
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1      Geometry  of  Numbers 

The  subject  of  ^''geometry  of  numbers^  was  developed  by  Minkowski  around 
the  turn  of  the  century.  This  has  been  a  classical  tool  in  subjects  such  as 
integral  quadratic  forms ,  diophantine  approximations.  However,  it  occupied 
its  renewed  role  as  a  powerful  tool  in  Computer  Science,  after  H.W.  Lenstra 
used  it  to  give  a  polynomial  time  algorithm  for  the  Integer  Programming 
(Feasibility)  Problem  for  fixed  number  of  variables.  Since  then  it  has  been 
used  to  give  efficient  algorithms  in  as  diverse  areas  as  simultaneous  diophan- 
tine approximations,  cryptography,  solvability  by  radicals,  low  density  subset 
sum  problem,  computing  with  algebraic  numbers,  factorization  of  polynomi- 
als over  finite  fields. 

The  main  approach  common  to  all  the  algorithms  involves  reformulating 
the  initial  problem  as  a  geometrical  problem  concerning  lattices  of  points. 
The  geometric  insights  gained  by  such  representations  is  a  powerful  aid  to 
thinking  about  both  classical  and  algorithmic  problems. 

Definition  1.1  [Lattice] 

Let  ci,  a2,  . . .,  On  G  IR"  be  a  set  of  linearly  independent  vectors  in  IR".  Let 

A  be  an  n  X  n  matrix  with  columns  oi,  02,  . . .,  a„, 

A  -  {ai,a2,...,an). 

The  lattice  generated  by  A  {by  ai,  a2,  .  ■ .,  a^)  is  defined  to  be 

A  =  A{A)  =  7Lai  +  7La2  +  ---  +  TLa^  =  {AjCi  +  AjCj  +  •  •  •  A„a„  |  A,  G  ZZ}, 

i.e.,  integer  linear  combinations  of  the  vectors  gi,  02,  . . .,  a^. 

We  say  that  ax,  a^,  . . .,  a^  is  a  basis  of  the  lattice  A(ai,  02, . . .  ,a„),  and 
A  is  its  basis  matrix.  We  say  n  is  the  dimension  of  the  lattice  A.        D 

The  same  lattice  A  may  have  many  bases,  but  they  are  related  to  one 
another. 

Definition  1.2  A  square  matrix  U  is  called  unimodular,  if 

dett/  =  ±l.      D 

Theorem  1.1  Let  Ai  =  A(Ai)  and  A2  =  A(/l2)  be  two  n-dimensional  lat- 
tices, with  basis  matrices  Ai  and  A2,  respectively.  Then  Ai  =  A2,  if  and 
only  if  there  exists  an  integer  unimodular  matrix  U,  such  that 

Ai  =  A2U. 
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PROOF. 

{=>)  Assume  Aj  =  A2.  Then  the  column  vectors  of  A2  are  integer  linear 
combinations  of  the  column  vectors  of  Ai,  and  vice  versa.  Hence  there  are 
integer  matrices  Ui  and  U2  such  that 

A2  —  A\Ui,     and     Ai  =  A2U2- 

Hence 

A^  =  AiUiU2. 

Since  A\  is  of  full  rank, 

where  /„  is  the  n  X  n  identity  matrix.  This  implies 

det  Ui  det  C/2  =  1 ,     and     det  Ui ,  det  U2  G  Z; 
from  which  we  conclude  that 

|detC/i|  =  1  =  |detf/2|. 

The  matrices  U\  and  U2  are  integer  unimodular  matrices. 

(<=)     Assume  that  there  is  an  integer  unimodular  matrix  U  such  that 

A2^AiU. 

Then 


and 

deti/-^ 


1, 


I  det  1^1 
i.e.  U~^  is  an  integer  unimodular  matrix.  Furthermore, 

Ai  =  A2U-\ 

Hence  the  column  vectors  of  A2  are  integer  linear  combinations  of  the 
column  vectors  of  Ai,  and  rice  versa.  Thus  Ai  =  Aj.      D 

The  transformation  corresponding  to  the  integer  unimodular  matrix,  is 
called  an  integer  unimodular  transformation.  Following  three  transforma- 
tions can  be  easily  shown  to  be  integer  unimodular: 
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(A)  Multiply  some  basis  vector  by  —1. 

(B)  Add  an  integer  multiple  of  a  basis  vector  to  another. 

(C)  Permute  two  basis  vectors. 

It  is  possible  that  the  same  lattice  A  may  have  two  distinct  bases  Ai  and 
A2:,  however,  they  are  related  by  an  integer  unimodular  matrix  U, 

A2  =  A^U; 

and  thus  all  the  basis  matrices  have  the  same  determinant  (up  to  their  signs), 
the  absolute  value  of  which  is  a  characteristic  of  the  lattice  A. 

Definition  1.3  [Determinant  of  a  Lattice] 

Let  A{A)  be  a  lattice  with  ba^is  matrix  A.  The  number 

detA  =  Vdet  A'^A  =  \detA\ 

is  called  the  determinant  of  the  lattice.      D 

Geometrically,  the  determinant  of  the  lattice  is  the  common  n-volume  of 
those  j>arallelohedra  whose  vertices  are  lattice  points  and  which  contain  no 
other  lattice  point;  equivalently,  n-volume  of  those  parallelohedra  spanned 
by  bases. 

Definition  1.4  [Dual  Lattice] 

Every  lattice  A  has  a  dual  lattice,  called  A*, 

A*  =  {i  G  IR"  I  y'^x  e  TL  for  every  y  G  A}.      D 

K  (cj,  £125  •  •  M  On)  is  a  basis  of  A  then  the  vectors  aj,  02,  . . .,  a*  defined 

by 

form  a  basis  for  the  dual  lattice,  called  the  dual  basis  of  (cj,  02,  .. .,  On)- 
That  is 

A-'^A  =  /„. 

Moreover,  we  have  the  following  properties: 
(A)  A"  =  A. 
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(B)  (detA')(detA)  =  1,  i.e., 


det  A*  = 


1 


det  A 


(C)  If  Ai  and  Aj  are  two  lattices  then 

{Ai  n  A^y  =  A'l  +  A'i,     and     (Ai  +  Aj)' =  A*  n  A^ 

2      Gram-Schmidt  Orthogonalization 

Let  (6i,  62,  ••■,  ^Ti)  be  a  (vector  space)  basis  of  IR".  Then  an  orthogonal 
basis  (61,  621  •  •  •,  ^^)  of  IR"  can  be  found  by  the  following  simple  procedure, 
known  as  Gram-Schmidt  Orthogonalization: 


Procedure  GRAM-SCHMIDT; 

Input:  (61 ,  . . .,  6„):  Basis  e  IR" 
Output:  {b^,  .. .,  fc;):  Basis  6  IR"  such  that 
the  6*'s  are  mutually  orthogonal; 


begin 


b':=bi; 

for  i  :=  2  to  n  loop 


6-:=  6.-^ 


'(fc..fc;) 


end{loop  } 
tndiGRAM-SCEMIDT}.      D 


We  have  used  the  notation  (6,, 6j)  to  denote  the  vector  dot  product  of 
two  vectors  6,  and  bj. 
Hence,  we  see  that 

(A)  Each  6,  can  be  written  in  terms  of  6*'s  as  follows: 


where 


^^i.j  =  \ 


0, 
1, 


if  i  <  j; 
if  t  =  j; 


[(^■'^•) 


77.     if  »■  >  j- 
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Hence, 

B  =  B'M'^, 

where  Af  is  an  n  X  n  lower  triangular  matrix  with  the  (i,  j)*^  entry, 
fiij,  and  B  and  B*  are  the  nxn  matrices  with  the  column  vectors  6,'s 
and  6*'s,  respectively.  Note  that 

detB'^B  =  det  MiB')'^B'M^  =  det{B'fB', 

since 

n 

detJW  =  Y[fii,i  =  1. 

(B)  Since  the  column  vectors  of  B*  are  mutually  orthogonal, 

{B')^B'  =  diag  {{6-, 6-)},  =  diag  {||6n|'}^, 

and 

det  iB'fB'  =  f[\\b:\\\ 

(C)  From  (A),  we  know  that 

Since  6*'s  are  mutually  orthogonal. 

Hence  we  obtain  the  following  inequality,  known  as  Hadamard's  In- 
equality: 


detB^B  =  deiiB*fB'  =  JJ  ||6*|p  <  J]  ll^ll'- 

i=i  t=i 

Equivalently, 

|detB|<ni|6.||. 
t=i 

Geometrically,  this  can  be  interpreted  to  mean  that  the  n-volume  of 
the  parallelohedra  spanned  by  the  basis  vectors  is  always  bounded  from 
above  by  the  product  of  the  Euclidean  lengths  of  the  basis  vectors. 
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(D)  Let  (61,  62,  ...,  6„)  be  a  basis  of  IR".     Let  us  denote  by  6,(j)  the 
component  of  6,  orthogonal  to  the  linear  subspace  spanned  by  the  first 
j  —  1  vectors  61,  62,  ••  ■>  ^j-i- 
Observe  that 

(a)  IS  i  <  j  then  6,  6  span  (bi,  62,  •  ■  -,  ^;-i),  and  thus,  6,(j)  =  0  and 
^^.,:  =  0. 

(b)  U  i  =  j  then  6,(:)  is  the  component  of  6,  orthogonad  to  the 
span (61,  62,  ...,  6i_i)  =  span(6i,  b^,  ...,  6*_j),  and  thus, 
6,(i)  =  b'  and  /i,-,-  =  1. 

(c)  If  i  >  j  then 

i-i 

i  J-1 

fc=l  k=l 


and 


ll^.(i)ll 


t+i 


Hence, 

^•+i(0  =  ^l^i+i,kbk{k)  =  6,+i(i+l)-|-/i,-t-i,,-6,(0  -  b'^^+fii+i^ib*. 

k=, 

(E)  Let  (oi,  02,  . . .,  Cn)  be  a  basis  of  an  n-dimensionaJ  lattice  A,  and  (a', 
Cj,  . . .,  a^)  be  a  Gram-Schmidt  Orthogonalization  of  the  ba^is. 

Let  ^1  be  the  Euclidean  length  of  a  shortest  non-zero  lattice  vector  61. 
Then 

n 

61     =     ^  A,a,- 

n  /  i-1 

=       H  '^.       «*  +  Z!  ^^iJ'^'j 

.=1  \  j=l 

n  n     i— 1 

i=i  1=1 j=i 
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Hence, 

||6i|p>i:|A.n|a:|p>rnunJK||V. 
t=i  — 

Or, 

min  IKil  <  6.  (1) 

l<t<n 

As  an  immediate  corollary  of  Hadamard's  inequality,  we  see  that 
Proposition  2.1   Let  A  be  an  n- dimensional  lattice  with  the  basis  matrix 

A  =  (ai,a2,  ...,an). 

Then 

llaill  ||a2||---||an||>detA. 

The  equality  in  the  above  proposition  can  be  guaranteed,  if  and  only  if 
the  basis  vectors  (ai,  02,  ...,  fln)  a^re  mutually  orthogonal.  If  the  mutual 
orthogonality  of  the  basis  vectors  is  used  as  a  measure  of  their  goodness,  we 
would  like  to  answer  the  question  of  how  good  a  basis  can  be  found  for  a 
particular  lattice  A. 

To  that  effect,  let  us  define  the  ratio 

c       ||ai||||a2||---|K|| 


detA 

to  be  the  orthogonality  defect  of  the  basis.    We  know  that  6  >   1.    The 
question  is  how  small  a  6  can  we  achieve  for  a  particular  lattice  A. 

A  closely  related  problem  is  that  of  finding  a  shortest  lattice  vector  of  a 
lattice  A.  Notice  that  if  t;  is  a  shortest  vector  in  the  lattice  A(ai,  . . .,  Cn) 
and 

V  =  Aifli  +  •••  +  A„a„, 


_   det(ai , . . . ,  a,_i ,  v, a,+i , . . . , a„) 


det(ai, 

•  •  •  ,0'i-l,0,iiO,i+l,-  ■ 

■,an)' 

||ai||-- 

•||a,_i||  ||u||  ||a,-+il|- 

•■Kll 

then 


Hence 

'^''-  IdetAl 

Since  v  is  by  assumption  no  greater  than  any  of  the  lattice  vector,  in  par- 
ticular a, 

|;^^.|   <    IKIIII«2||---||an||    ^  ^ 

det(ai,a2 . .. ,a„) 
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Hence  a  shortest  vector  of  the  lattice  can  be  found  by  searching  among 
a  set  of  (2  [(5]  +  1)"  possible  values  for  the  A,'s. 

In  general,  if  a  lattice  A  is  presented  with  a  basis  matrix  A,  whose 
representation  requires  at  least  ^(^4)  number  of  bits,  then  we  can  only  say 
that 

6  =  2°W^)). 

This,  however,  implies  that  the  above  'generate-and-test'  algorithm  has  a 
time  complexity  of  2'^("'(^)).  This  algorithm  will  be  considered  intractable, 
and  it  has  been  conjectured  that  the  shortest  lattice  vector  problem  is  NP- 
complete.  So  far,  there  is  only  a  proof  of  NP-completeness,  if  the  length  of 
the  vectors  are  taken  to  be  their  ^oo-norms. 

Before  turning  to  the  algorithmic  problems  raised  by  the  above  discus- 
sion, let  us  first  consider  the  existence  of  a  'fairly  good'  bound  for  the  or- 
thogonality defect  and  the  length  of  a  shortest  lattice  vector. 

3      Minkowski's  Convex  Body  Theorem 

Theorem  3.1  [Minkowski's  Convex  Body  Theorem]  Let  A  be  an  n- 
dimensional  lattice  in  IR".  Let  S  be  set  in  IR",  which  is  convex  and  sym- 
metric about  the  origin,  and  has  n-volume  V(5)  (not  necessarily  bounded). 
If 

V{S)  >  2"detA, 

then  S  contains  at  least  one  non-zero  lattice  vector  u  £  A. 

PROOF. 

Define 

^5  =  {i  G  IR"  I  2x  G  S}. 
Then  it  is  easy  to  see  that 

1.  ^5  is  convex  and  centrally  symmetric,  and 

2.  V{\S)>detA. 

For  each  lattice  point  v  of  A  consider  the  body  v  +  ^S  obtained  by 
translating  j5  by  t;: 


V  +  -S  =  {  X  e  IR"  I  a;  =  r  -f  5  for  some  s  G 


\^} 


Hence  the  set  of  translates  of  |5  (one  for  each  lattice  point)  has  the  addi- 
tional property  that  some  two  of  them  must  have  a  non-empty  intersection. 
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This  follows  from  the  facts  that  the  n-volume  of  each  fundamental  parallelo- 
hedra  has  a  volume  det  A  and  that  each  of  the  replicas  of  j5  has  a  volume 
in  excess  of  det  A. 

Without  loss  of  generality,  we  may  assume  that  |5  and  v  +  ^S  are  two 
such  bodies  with  a  non-empty  intersection,  i.e.. 


3y  e  R"  such  that  y  G  (-Sj  C)  (v  +  -S 


Hence  y  G  |5,  and  y  —  v  £  j5,  (the  later,  because  y  £  v  +  i-5).  By  the 
central  symmetry  of  |5,  we  conclude  also  that  v  —  yE  \S.  By  the  convexity 
of  ^S,  we  also  know  that  ^v  (the  mid  point  of  y  and  v  -  y)  is  in  |5.  Hence, 

veS. 

But  V  was  a  lattice  point  by  choice. 

Notice  that  by  the  central  symmetry,  we  can,  in  fact,  conclude  that  both 

±ve  s.  D 

In  the  literature,  the  Minkowski's  Convex  Body  Theorem  is  stated  as 
follows.  Though  this  is  apparently  a  stronger  theorem,  the  same  proof  tech- 
nique applies  and  can  be  found  in  the  standard  text  books  on  geometry  of 
numbers. 

Theorem  3.2  [MINKOWSKI'S  Convex  Body  Theorem]  Let  A  be  an  n- 
dimensional  lattice  in  IR".  Let  S  be  set  in  IR",  which  is  convex  and  sym- 
metric about  the  origin,  and  has  n-volume  V{S)  (not  necessarily  bounded). 
Let  k  be  a  positive  natural  number.  If 

V{S)>  ^-2"detA, 

or 

V{S)  =  k2^  det  A,  and  S  is  compact, 

then  S  contains  at  least  k  pairs  of  distinct  non-zero  lattice  vectors  ±Ui,  ±U2) 
...,  ±Uk  e  A.        D 

Corollary  3.3  Let  A  be  an  n-dimensional  lattice  in  ffi."  and  let  bi  be  a 
shortest  non-zero  lattice  vector  of  A.   Then 


\\bi\\  <  v/-v^>/ditA. 
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PROOF. 

Consider  an  n-dimensional  sphere  Snir)  of  radius  r  about  the  origin.  Then 

/  n/2         \ 


r(n/2  +  i)y    ' 

and 

b  e  Sn{r)  =>  \\b\\  <  T. 

Let  us  choose  the  radius  r  large  enough  so  that  Srx{T)  contains  at  least 
one  lattice  point.  By  Minkowski's  Convex  Body  Theorem,  it  suffices  to 
satisfy  the  following  inequality: 

That  is 

r  >  (^^  ^r(n/2  +  l)-yd^rA. 

Since  T[x  +  1)  <  i^,  it  suffices  to  choose  r  =  p  with 


p  =  J  —y/nVdet  A 


in  order  to  guarantee  that  Snip)  contains  a  lattice  point. 

Hence  if  6i  is  a  shortest  non-zero  lattice  vector  then  i;  G  Sn{p)  and 


6  =  ||ti||</>=\/fv^N/ditA. 


D 


Note  that  in  the  book,  Lovasz  has  shown  that 

6  =  11^1  II  <  V^v^detA 
using  a  much  simpler  argument. 
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4      Successive  Minima  and  a  Bound  on  the   Or- 
thogonality Defect 

Definition  4.1  [SUCCESSIVE  Minima] 

Let  5  be  a  bounded  centrally  symmetric  convex  body  in  IR"  of  n-volume 
V{S).  For  each  ^  >.  0,  let  ^S  stand  for  the  following  centrally  symmetric 
convex  body 

^s  =  Ux\xe  s). 

Let  A  be  an  n-dimensional  lattice  in  IR".  The  quantity 

^k  =  iiif{^  >  0  I  ^5  contains  k  linearly  independent  vectors  from  A} 

is  called  the  k*'^  successive  minimum  of  A  with  respect  to  S  (for  k  =  1,  . . ., 
n). 

The  set  of  successive  minima  {^^  |  A;  =  1,  ...,  n}  exist  and  there  are 
n  linearly  independent  vectors  b\,  62,  ...,  b^  in  A,  corresponding  to  the 
successive  minima. 

Furthermore 

6   <  6   <  •  •  •  <  ^n.        □ 

By  Minkowski's  Convex  Body  Theorem  it  follows  that  (fi5  has  a  volume 

F(^i5)  =  ,fi"F(*^)  <2"detA. 

However  by  considering  the  whole  set  of  successive  minima  ^1,  ^2,  ■  •  ■,  ^n, 
Minkowski  could  prove  a  much  stronger  result; 

Theorem  4.1  [Minkowski's  Successive  Minima  Theorem]  Let  A  be 
an  n-dimensional  lattice  in  IR".  Let  S  be  a  bounded  set  in  IR",  which  is 
convex  and  symmetric  about  the  origin,  and  has  n-volume  V{S).  Let  ^i,  ^2) 
...,  ^„  be  the  successive  minima  of  A  with  respect  to  S.   Then 

—  det  A  <  66  •  •  •  ^nV(S)  <  2"  det  A 
n! 

D 

The  original  proof  of  the  above  theorem  due  to  Minkowski  is  rather 
lengthy.  Subsequently,  the  proof  has  been  considerably  simplified  and 
shortened  by  Davenport,  Eastermann,  Weyl  and  Pipping.    We  will  omit 
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the  proof,  since  it  can  be  found  in  Cassels  or  Lekkerkerker  [Cassels  1959], 
[Lekkerkerker  1969]. 

We  will  apply  the  above  theorem  to  obtain  a  bound  for  the  orthogonality 
defect  of  an  n-dimensional  lattice.  For  this  purpose,  it  is  sufficient  only  to 
consider  S  to  be  an  n  dimensional  unit  sphere,  5„(1).  We  refer  to  the 
successive  minima  of  A  with  .respect  to  5„(1)  as  simply  successive  minima. 
In  this  case,  the  n  linearly  independent  vectors  bi,  62?  •••>  ^n  (associated 
with  the  successive  minima)  have  the  following  additional  property: 

\M  =  ^k. 

Note  that  although  61,  62,  • .  •,  &n  are  vectors  of  the  lattice  A,  and  are  linearly 
independent,  they  may  not  form  a  basis  of  the  lattice.  However  the  following 
lemma  shows  that  there  is  a  basis  (ai,  02,  .. .,  o-n)  of  A  that  is  'quite  close' 
to  the  set  of  vectors  {61,  62,  . . .,  6„}. 

Lemma  4.2  Let  61,  62,  . ..,  bn  be  the  n  linearly  independent  vectors  associ- 
ated with  the  successive  minima  of  the  n-dimensional  lattice  A.  Then  there 
exists  a  basis  (oj,  02,  ...,  On)  of  A  such  that 


||a,||<max(l,0^,. 


PROOF  SKETCH. 


(1)     First  we  claim  that  there  is  a  basis  (ci,  C2,  . . .,  c„)  of  A  such  that 

61  =       VuCi 

62  =       t'2lCi  +  t;22C2 


bn      =      ^-'nlCl  +  Un2C2  + h  UnnCn 

for  some  integers  Vij  with  vu  /  0.     Roughly  speaking,  the  above  set  of 
equations  can  be  constructed  by  successively  building  the  basis  for  the  lattice 

Aj  =  A  n  span (61, 62,-  •-,'';)• 

We  start  with  a  basis  for  Ai,  extend  it  to  a  basis  for  A2,  and  so  on,  until  we 
have  constructed  a  basis  for  A„  =  A. 
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(2)      Solving  the  above  set  of  triangular  equations  we  obtain 


1  •'"^ 

Cj  =  — 6j  +  Y.  ^i>^' 
^JJ  .=1 


where  Aj.'s  are  real.  Let  the  notation  [x]  stand  for  x  rounded  to  the  nearest 
integer: 


1^:  -  [^]|  <  2' 


and  {i}  for  x  -  [x]. 
(3)      Let 


f  ^' 


if  \vjj\  =  1; 


j-i 


^j  ~  ^["^j"]^"     if  l%l  >  2. 


1=1 


Notice  that  Cj's  are  linear  integer  combination  of  the  Cj's,  and  in  fact  the 
transformation  is  integer  unimodular.  Hence  (cj,  02,  ...,  a^)  is  in  fact  a 
basis  of  A. 

(4)     Now  to  get  the  bounds,  we  consider  two  cases  separately: 


1.  Uj  =  bj.  Then 


lojll  =  ll^jll  =  6- 


2.  a,  =  c,  -  YXl[Xji\b,.  Then 


j-i 


—b:  +  T.{^J^}b, 


"jj 


>=i 


i  l:t(.- 


t=l 


Hence 


M\  <  f6-- 


Combining  the  above  argument,  we  get 


IojII  <  maxfl,|j^j. 


D 


Theorem  4.3  Let  A  be  an  n- dimensional  lattice.    Then  A  has  a  basis  (ai, 
02,  . . .,  a„)  such  that 


t"-'n^}'"^' 
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where  V'(S„(1))    is  the  n-dimensional  volume  of  the  n-dimensional  unit 
sphere: 

PROOF. 

Choose  the  basis  (oi,  oj,  '. . .,  a„)  of  the  lattice  as  in  the  previous  lemma. 

Then 

F(5„(l))  n  h,\\  <  :^(i  ■  ■  ■  ^.F(5„(l))  <  2n!  det  A. 

t=i  ^ 


Hence,  we  get  the  inequality 


UM^^y^SM)"'^- 


D 


The  above  theorem  shows  that  the  orthogonality  defect  of  an  n- 
dimensional  lattice  are  bounded  from  above  and  below: 

7r"/2 

Recall  that  our  discussion  from  the  previous  section  on  computing  a 
shortest  vector  in  a  lattice  implies  that  if  we  know  a  basis  of  the  lattice 
whose  orthogonality  defect  6  is  'small'  (i.e.,  bounded  by  2'^("^8"))  then  a 
shortest  vector  can  be  computed  in  time 

(2[^1  +  l)"poly(£(yl))  =  20("''8n)poiy(^(^)) 

For  a  fixed  dimension  lattice,  a  shortest  vector  of  the  lattice  can  be  computed 
in  polynomial  time. 


5      The  Reduction  Problem 

In  this  chapter  we  turn  to  the  algorithmic  problems  raised  by  the  discussion 
of  the  previous  chapter.  In  particular,  we  recall  that  every  n-dimensional 
lattice  A  has  a  basis  (6i,  62*  •  ■  •»  i'n)  such  that 

detA<||6i||||62||-.-||6„||<C„detA, 
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where  C„  is  a  constant  depending  only  on  n.  This  result  was  proven  by 
Hermite.  We  also  showed  that  it  is  possible  to  achieve  a  Cn  =  2^^"^^^^\ 
In  other  words,  for  each  n-dimensional  lattice  A  theres  exists  a  basis  whose 
orthogonality  defect  satisfy  the  following  inequalities: 

~  detA 

Hermite's  result  suggests  the  following  algorithmic  problem: 

Problem  5.1   [Basis  Reduction  Problem]. 

•  Input:     An  n-dimensional  lattice  A  =  A(5),  and  an  integer  C  >  1. 

•  Output:     A  basis  (6i,  62,  ...,  &„)  such  that 

ll6i||||62||---||6„||<CdetA. 

•  Note:  This  problem  has  a  solution  if  C  >  n";  but,  it  is  not  known  how 
to  find  such  a  basis.  The  problem  of  finding  a  basis  which  minimizes 
the  product  ||6il|  ||62||  •••  ||6n||,  is  A^P-hard. 

Hence  we  relajc  the  constrains  to  find  a  basis  for  which  the  orthogo- 
nality defect  compares  favourably  with  the  Hermite's  bound;  that  is 
we  will  consider  a  C  =  Cn  =  2*^(P°^y")  (single-exponential  in  n)  as  an 
acceptable  bound.  Note  that  this  guarantees  that,  for  a  fixed  dimen- 
sion n,  the  shortest  non-zero  lattice  vector  can  be  found  in  polynomial 
time,  with  the  dependence  on  n  still  being  single  exponential.  We  will 
call  a  basis  satisfying  the  above  bound,  a  reduced  basis  ^. 

A  related  problem  is  the  following: 
Problem  5.2   [Short  Vector  Problem]. 

•  Input:     An  n-dimensional  lattice  A  =  A(5),  and  a  number  ^  >  0. 

•  Output:     A  vector  6  G  A,  6  7^  0  such  that 

ll^ll  <  e. 


'This  definition  of  reduced  basis  is  somewhat  non-standard,  but  is  rather  clean  and 
satisfies  all  the  various  definitions  of  reduced  bases  found  in  the  literature. 
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•  Note:  K  there  is  a  polynomial  time  algorithm  for  the  Short  Vector 
Problem,  then  there  is  also  a  polynomial  time  algorithm  that  finds  a 
shortest  non-zero  vector  in  the  lattice,  by  a  binary  search  over  ^. 
We  showed  that  if  ^  >  7n  ■v/detT  then  such  a  vector  6  always  exists; 
here,  7„  >  v/ ^-  Note,  however,  that  a  lattice  A  may  contain  a  vector 
much  shorter  than  {/det  A. 

Let  7„  =  ||6||/  vdetA  denote  the  smjJIest  constant  satisfying  the  above 
inequality.  It  is  known  that 


n 

:r-  <  7n  <  „      . 
Jex  V  e'K 

It  is  widely  believed  that  the  Short  Vector  Problem  (and  hence  the 
related  search  problem:  Shortest  Vector  Problem)  is  A'^P-complete, 
though  no  such  proof  is  currently  available.  It  is  not  knowTi  either 
whether  the  weaker  problem  of  finding  a  solution  if  ^  =  a/tT  v^det  A  is 
A' P- hard. 

The  above  discussion  indicates  that  the  best  we  may  hope  for  is  a  poly- 
nomial time  algorithm  to  find  a  'reduced  basis.'  In  the  rest  of  this  chap- 
ter, we  present  Lenstra,  Lenstra  and  Lovasz's  Basis  Reduction  Algorithm 
[Lenstra  et.  al.  1982]  that  finds  a  basis  (6i,  62,  . . .,  6„)  of  a  lattice  A  satisfy- 
ing the  following  inequality: 

ll^ill  11^211  •••||6n||<2K")det  A. 

Also  we  show  that  if  61  is  the  shortest  among  the  vectors  of  the  reduced 
basis  then 

||6i||<2("-i)/''N/d;rA. 

This  indicates  that  we  have  polynomicd  time  algorithms  for  both  of  the 
problems  for  appropriately  large  C  and  ^.  In  practice,  for  many  related 
problems,  these  are  adequate  to  give  polynomial  time  algorithms. 

6      The  L^  Basis  Reduction  Algorithm 

Let  (61,  62,  ...,  6„)  be  a  basis  for  the  n-dimensional  lattice  A,  and  (6',  62, 
...,  b'^),  the  Gram-Schmidt  orthogonalization  of  the  basis.  We  also  know 
that  each  6,  can  be  written  in  terms  of  6''s  as  follows: 
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where 

r  0,  if  i  <  j; 


^.,i 


1,  iii  =  j; 

(fen  6-)       .... 


Since  the  orthogonality  defect  measures  how  orthogonal  the  basis  vectors 
are  to  each  other,  in  order  to  reduce  the  orthogonality  defect,  we  will  attempt 
to  find  a  lattice  basis  close  to  the  Gram-Schmidt  vectors.  Formally,  our  first 
attempt  is  to  find  a  basis  (6i,  b2,  ■  ■ .,  h^)  from  the  original  basis  (6i,  62,  •  •  •> 
bn)  via  a  sequence  of  unimodular  integer  transformations  such  that 

t 

where 


ro,     ifi<i; 


and 

The  basis  (61,  62,  •••,  ^n)  of  A  satisfying  the  above  condition  is  called  a 
weakly  reduced  basis. 

Assume  that  we  have  a  set  of  basis  vectors  (61,  62,  •  •  •,  ^n)  satisfying  the 
following  equations: 

h     =     b', 

bj     =     /i~I6i  +  •  •  •  +  /ijj^ifej-i  +  fej 

bi    =    ill^b*^  +  ■■■  +  MiJ^ifej-i  +  Kjb'^  +  ---  +  b' 

bn     =     /Aufei  H \- f^^-\b'-i  +  f^jb'j  ^ +  fi^.b' + h  &„, 

and  let  {i,j)  be  the  lexicographically  largest  pair  of  indices  satisfying  the 
following  conditions: 
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\f^k,i\     <     ^7  for  all  /:,/  such  that  {k  >  i)  or  (A;  =  t  A  /  >  j). 

Now,  let  m  =  [Mm]  be  the  integer  nearest  to  Jiij.  Consider  the  following 
new  basis  of  A,  (6j,  . . .,  b'-,  . . .,  b'^)  =  (6i,  . . .,  6,  —  m  •  6j,  . . .,  6„),  obtained 
by  an  integer  unimodnlar  transformation 


b[     =     6i 


bl 


b[     =     bi  —  m  ■  bj 

=     (mu  -  m-  lJ~})bl  +  ■■■+  {p~~  -  m)b'  +  /^^Tfi^j+i  +  ■••  +  &* 

=  /aTi^i  +  •  •  •  +  M^r^i^^-i  +  i^ 

Now,  let  {i\j')  be  the  lexicographically  largest  pair  of  indices  satisfying  the 
following  conditions: 

\^^,',J'\    >    2'^"^ 

\^^'k,l\     ^     9'  f°^  ^1^  ^^^  s"ch  that  (A:  >  t')  or  [k  =  i'  A  I  >  j'). 

It  is  easy  to  see  that 

(«',/)  <lex  {i,j)- 

It  is  also  easy  to  see  that  (6i,  62 >  •  •  •>  ^n)  and  {b[,  65,  . . .,  6'„)  have  the 
same  Gram-Schmidt  orthogonal! zation:  (6J,  621  --m  ^n)- 

Hence  by  repeating  above  step  at  most  {T}  many  times,  it  is  possible 
to  obtain  a  weakly  reduced  basis  (61,  62,  •••>  ''n)i  starting  from  the  original 
basis  (61,  621  •  •  •-,  bn)-  The  following  algorithm  achieves  this: 
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Procedure  WEAK-BASIS-REDUCTION; 

Input:  (fci,  . . .,  bn):  Basis  of  an  n-dimensional  lattice  A,  and 

(6J,  . .  .,_6;)  =  GRAM-SCEMIDT{bi,  . . .,  6„) 
Output:  (6i,  . . .,  6„):  A  weakly  reduced  basis  of  A; 


begin 


for  i  :=  n  down  to  2  loop 

for  j  :=  i  —  1  down  to  1  loop 


6.  :=  6.  - 


(*;.^;) 


■>>: 


end{loop  }; 
endjloop  ); 
tBd{WEAK-BASIS-REDUCTION}.      D 


The  above  discussion  can  be  summarized  in  the  following  theorem: 

Theorem  6.1  1.  Let  (6i,  62?  ••■;  K)  be  any  basis  of  an  n-dimensional 
lattice  A  and  (6*,  tj;  ■■■>  K)  be  its  Gram-Schmidt  orthogonalization. 
Then  there  is  another  basis  {bi,  62,  •  •  •,  ''n)  '"^^h  the  same  orthogonal- 
ization (6J,  62)  •••>  ^n)  ^^^^  ^^^^  if  we  write 

i 

^1=^7^^*,  (i=l,...,n) 

then  l/ITjl  <  ^  for  1  <  j  <  i  <  n. 
2.  Hence 


i-l 


<  ii^rir  +  iEii^'ii'- 


3.  A  weakly  reduced  basis  of  A  as  above  can  be  found  in  0{n'^)  arithmetic 
operations. 

Notice  that  in  the  absence  of  any  restriction  on  the  relative  sizes  of  the 
vectors  6''s,  the  weakly  reduced  basis  can  have  arbitrarily  large  orthogonal- 
ity defect.  But  if  it  is  known  a  priori,  for  instance,  that 


\bU,f>^\\m\         foraUi  =  l,, 
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then  we  know  that 

lltl-jlP  <  2^+^||i>•+l||^  foraU;  =  0,...,i-  1. 

Hence,  for  i  =  1,  . . .,  n  —  1 

iirap  <  ii^r+iii'  +  jEii^r-.ii' 

and 

lW  =  ll^tlP- 

From  which  we  conclude  that 


niiM^<2(")niiiri 


t=l  i=l 


In  other  word  the  orthogonality  defect  of  (6i,  621  •  •  -,  ^n)  is 

IMidM<2K^) 

detA 


Procedure  LIL-BASIS-REDl/CTIOiV; 

Input:  (61,  ...,  6n):  Basis  of  an  n-dimensional  lattice  A; 

Output:  {b\,  .. .,  b'„):  A  reduced  basis  of  A; 

begin 

loop 

{b\,  . . .,  b'„)  :=  GRAM-SCHMIDT{bi,  . 

.,   6n) 

(fci,  . . .,  fc„)  :=  WEAK-BASIS-REDUCTION  (fcj 

,...,  6„) 

if  for  some  J  G  {1, . . . ,  n  -  1},  \\b'^i\\^  < 

^ii6:iP 

then 

(*) 

(6i,6.+i):=(6.+i,6.) 

else 

exit  loop 

end{if} 

end{loop  }; 

tnd{LLL-BASIS-REDVCTION}.      D 
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It  is  easy  to  see  that  when  the  algorithm  terminates  with  a  set  of  vec- 
tors {b[,  ...,  b'^),  these  indeed  form  a  basis,  since  they  ar  obtained  via  a 
sequence  of  weak-bjisis-reduction  operations  and  interchange  of  two  of  the 
basis  vectors — all  integer  unimodular  transformations.  Furthermore,  at  ter- 
mination they  satisfy  the  foUowing  condition 

\W:+A'>\\W:\\\         foraUi  =  l,...,n-l, 

and  hence  they  form  a  reduced  basis. 

What  is  not  clear,  from  the  above  discussion,  is  that  the  algorithm  ter- 
minates, and  in  fact  in  polynomial  time.  For  the  sake  of  simplicity,  let  us 
assume  that  the  original  basis  vector  of  the  lattice  are  all  integer  vectors. 

To  this  end,  let  us  consider  the  foUowing  quantities: 


Vi    =     v'<iet(6i,...,6.)T(6i,...,6.) 

=     lliill--- 11^:11, 

the  z-volume  of  the  parallelohedra  spanned  by  the  vectors  hi,  .. .,  6,-. 
Let  us  define  the  weight  function 

D    =     D{bu...,bn) 

=  nii^'rir' 

<     (max||6.||)("). 


Furthermore, 


L»(6i,...,6„)>l, 


since  the  basis  vectors  are  assumed  to  be  integer  vectors. 

It  is  obvious  that  the  weak-basis-reduction  step  does  not  change  J?.  How- 
ever, if  in  any  step  6,+i  and  6,  are  swapped  changing  the  value  of  the  weight 
function  from  D  to  D'  then  we  see  that 

1.  Vi,  . . .,  V,_i,  V,+i,  . . .,  Vn  remain  uncahnged. 

2.  Vi  changes  to  a  new  value 

ydet(6i,..  .,6,_i,6,+i)T  (6i,...  ,6,_i,6,+i)  = 


Section  6  The  L^  Basis  Reduction  Algorithm  23 

where  6'^j  +  ^,^.i,,6'  =  6,+i(i)  is  the  component  of  6,+i  orthogonal  to 
span (61,  ...,  6,_i). 

Hence 

D  yjdet{bu  . . .  ,b,-i,b,)'^{bi, . . .  ,b,^i,b,) 


^'  ^det{bi,...,b,-i,b.+iyibu...,bi-i,b,+i) 


|6*|P  \^ 


> 


116-1 


|2  \  2 


_2_ 


(2) 


Hence,  the  number  of  swap  operations  in  the  LLL-Basis-Reduction  is 
bounded  by  a  number  p,  where  p  satisfy  the  following  inequalities: 

l<D{b[,...X)<  ('^y^(6i,...,6„)<  |'^y(max||6.||)(^). 
Hence,  we  obtain  the  following  bound  on  p 


P    <     (2jlog2/^m^ax|i6.| 


=     0{nH{B)). 

Since  each  loop  performs  0{n^)  arithmetic  operations  in  weak-basis- 
reduction  and  O(n^)  time  in  Gram-Schmidt  orthogonalization,  the  time 
complexity  of  the  algorithm  is 

T^thinJiB))  =  0(n'iiB)). 

We  summarize  the  above  results  in  the  following  theorem: 

Theorem  6.2        1.   Given  a  non-singular  matrix  B  =  (61,  62,  ...,  6„)  G 
Q">'",  a  reduced  basis  {b[,  b'^,  ...,  6^)  0/ A  =  A(5)  can  be  found  in 
•     polynomial  time,  such  that 

ll«''il|---|Kll<2H")detA. 
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2.  Let  b[  be  the  shortest  among  the  vectors  b[,  b'2,  ...  6^.   Then 


(a)  \\b[\\  <  2("-i)/^N/dirA,  and 

(b)  ||6;||<2("-i)/26. 

Hence  a  short  non-zero  vector  of  the  lattice  can  be  found  in  polynomial 
time. 
PROOF. 

1.  This  follows  from  the  previous  discussion. 
2. 

\\K'\?     >    2'-'\\b['f  =  2'-^\\b[f. 

||6'j||2"       <       2"("-^)/2-Q||^|,||2 

=    2(")(detA)2. 

Hence 

||6;||  <2("-i)/''>/ditA. 

The  second  inequality  follows  from  the  following  two  facts: 
•  For  each  i  =  1,  . . .,  n, 

\\b':f>2'-'m\\\ 


I.e. 


In  other  words. 


•  By  equation  1, 


\b[\\'     <     mm{T-'\\b':f} 
t 

<     2"-^min|16'*|P. 


||6i|l<2("-^)/2min||6n|. 
min||6n|<6. 


D 
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Remark  6.1  Recall  that  b,{j)  had  been  defined  previously  to  denote  the 
component  of  6,  orthogonal  to  the  linear  space  spanned  by  the  first  j  —  1 
vectors  bi,  62,  •  •  ■>  f>j-i-  As  a  result,  the  condition 

can  be  shown  to  be  implied  by  the  weaker  condition 

IIMOIP  <  ^ll^+i(OlP, 

since 

<  ^iit:+iii'  +  ^ii^:ii'- 

Hence,    the   if  -condition    (marked    by   the    (*))    in    the    LLL-BASIS- 
REDUCTION-z.\gonihm  can  be  replaced  by  the  following, 


if  for  some  f  £  {1, .  .  . ,  n  -  1},  ||6.(i)||2  >  -||6i+i(t)|p    then 


Also  notice  that,  for  this  modified  algorithm  the  complexity  analysis 
remains  unchanged,  since  the  equation  2  holds  with 


D_ 
D' 


ll^'.(OII 


> 


73- 


We  note  that  the  standard  definition  of  a  Reduced  Basis  (i^-Reduced 
Basis)  is  based  on  this  modified  algorithm: 

Definition  6.2  A  basis  (61,  62,  . . .,  6„)  of  a  lattice  A  is  called  reduced  if  it 
is  weakly  rdeuced  and 


IIMOII'  <  311^+1(011'     forl<:<n. 
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Remark  6.3  The    algorithms     WEAK-BASIS-REDUCTION    and    LLL- 
BASIS-REDUCTION  are  usually  combined  into  the  following  algorithm: 


Procedure  LLL-BASIS-REDUCTION; 

Input:  (6i,  ...,  b„):  Beisis  of  an  n-dimensional  lattice  A; 
Output:  {b[,  . . .,  6^):  A  reduced  basis  of  A; 


begin 
i  :=  1 
while  i  <  n  loop 

(6*,  .. .,  6;)  :=  GRAM-SCEMIDT{hi, 

bi+i  :=  6i+i  -  [/^i+i.i]  •  bi 

'UHi)\?  >  l\\b,+i{i)\?    then 
{bi,bi+i)  :=  (6,+i,6j) 
if  i  >  1    then  f  :=  i  -  1  end{if  } 

elsif||6.(0lP<|l|fc.+i(0lP    then 
for  j  :=  I  —  1  down  to  1  loop 

bi+i  ■■=  6.+1  -  [Pi+ij]    bj 
end{loop  } 
i  :=  t  +  1 
end{if  } 
end{loop  } 
tnd{LLL-BASIS-REDUCTION}.      D 


bn) 


In  the  above  algorithm  fij^k  denotes 

(blK) 

The  correctness  of  the  above  algorithm  follows  from  the  fact  that  the 
following  loop  invariant  is  satisfied  by  the  main  loop: 
For  each  i  {I  <  i  <  n), 

\Hk\     ^     2'     for  1  <  fc  <  J  <  i, 
\MJ)f     <     l\\bjMm\     ioTl<j<i. 

The  above  algorithm  is  the  usual  LLL-BASIS-REDUCTION  algorithm 
found  in  the  literature,  and  is  somewhat  more  efficient  (only  in  terms  of  the 
constants)  than  the  algorithm  previously  presented. 
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Remark  6.4  By  keeping  track  of  the  Gram -Schmidt  orthogonalizations, 
the  time  complexity  of  the  previous  algorithm  can  be  improved  to 

T^ihinJiB))  =  0{n^)  +  OinU{B))  =  OinH{B)). 

In  order  to  achieve  this  time  complexity,  we  only  orthogonalize  the  initiaJ 
6j's  and  then  keep  track  of  the  scalars  ||6*|P  and  /ij/t,  updating  them  af- 
ter each  change  in  the  6j's.  Each  update  can  be  achieved  with  only  0{n) 
arithmetic  (i.e.  rational)  operations.  Hence  the  initial  Grajn-Schmidt  com- 
putation takes  O(n^)  time  and  the  sequence  of  updates  per  iteration  takes 
0{n'^)  time.  The  overall  complexity  of  the  algorithm  is  easily  seen  to  be  as 
claimed. 

Note  that  in  the  algorithm  we  perform  the  following  two  kinds  of  update 
operations: 


1. 


and 


6,+i  :=  6; 


i  +  l 


[m. 


+  i,;J 


fc; 


(6.-,fc.+i):=(fc.+i,6.) 


Let  6J  and  fi'^j  be  the  updated  values  of  6,  and  ^j,  respectively.  Then 
1.  In  case  of  the  first  kind  of  update: 


Hence 


iCil 


^^^  +  l.k       = 


=     ll^'+lll^      and 


2.  In  case  of  the  second  kind  of  update: 

K  =  ^-1-1)      K+i  =  ''•• 
Observe  that 


=  fii+i,k  -  [^i,+\,J]^lj,k■ 


\w:r\K^\ 


=     116*1 


it:+ii 


b''     =    6*^1 -|-/i,+i,,6*, 


tr+i     = 


\\bU2l 

\\b':\\' 


m\ 


■b'  -Mi  +  l,'jj^77|J2^'-H' 
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Hence 


ii^ri 

{bi,b'r)  _ ..     \\b'\\' 


ii''^;iii'  =  ^ii^'+iii' 


For  1  <  j  <  i 


/ 


{br+ub'^) 


^''     ~       (6-, 6*)    -^•+''^' 


/ 


For  i  +  1  <  j  <  n 


{b..b'^) 


''•■'^■^     -     (6-,6*)"'''^' 


Only  0(71^)  arithmetic  operations  are  required  to  make  the  appropriate 
modifications,  presented  in  the  above  set  of  equations. 

Remark  6.5  Note  that  our  presentation  of  the  LLL-Basis-Reduction  al- 
gorithm can  be  modified  so  that  all  the  intermediate  results  have  at  most 
0{nt{B))  bits.  Using  standard  algorithms  for  arithmetic  operations,  we  see 
that  the  algorithm  has  a  bit-complexity  of 

Tut{nA{B))=^0{nH{Bf). 

Furthermore,  if  we  use  fast-multiplication  algorithm,  then  for  any  e  >  0,  we 
can  achieve  a  bit-complexity  of 

However,  this  improvement  is  mostly  of  theoretical  interest,  since  for  almost 
all  practical  problems,  the  straight  forward  algorithm  is  good  enough. 
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7      Two-Dimensional  Lattices 

It  is  somewhat  instructive  to  look  at  LLL-BASIS-REDUCTION  algorithm 
carefully  for  the  special  case  of  two  dimensional  lattices.  The  algorithm  for 
the  special  case  is  as  follows 


Procedure  LLL-BASIS-REDUCTION; 

Input:  (6i,  62):  Basis  of  an  2-dimensional  lattice  A; 
Output:  {b[,  6^):  A  reduced  basis  of  A; 


begin 


loop 


62- 


(62.61) 


L(6i.6i)J 


61 


if||6i||'>3l|62|P    then       • 

(61,62):=  (62,61) 
else 

exit  loop 
end{if  } 
end{loop  ); 
end  {LLL-BASIS-REDUCTION}.      D 


(**) 


The  correctness  and  polynomial  time  complexity  of  the  above  algorithm 
foUows  from  the  general  results.  However  it  is  also  known  that  if  the  step, 
marked  (♦*)  is  replaced  by 


then  the  time  complexity  of  the  modified  algorithm  can  be  shown  to  be 
also  polynomial,  and  the  resulting  reduced  basis,  superior.  Notice  that  if 
the  algorithm  terminates  with  the  basis  (61,62)  then 


|cos(?!)(6i,62)|  = 


l|i'2||||6i|| 


<  Ijl^ll 


2II62 


< 


hence  the  bcLsis  vectors  form  an  acute  angle  of  60°  or  more.  For  this  reason 
this  modified  algorithm  is  known  as  the  "60°-algorithm."  This  algorithm 
is  usually  attributed  to  Gauss  [Gauss  1801]  and  has  a  close  similarity  to 
Euclid's  algorithm  for  GCD  of  two  numbers. 
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The  orthogonality  defect  of  the  basis  produced  by  the  60°  algorithm  is 

4 


^_ll^l||||^2||_  1  ^ 


detA         sin(j!»(6i,62) 

This  bound  is  optimally  achieved  by  a  lattice  of  an  equilateral  triangle  with 
a  vertex  at  the  origin.  Furthermore,  it  can  be  shown  that  if  (61,62)  is  a  baisis 
of  the  lattice  A  produced  by  the  60°  algorithm  (with  ||6i||  <  II62II)  then  6—1 
is  a  shortest  nonzero  vector  of  A. 

Gauss'  algorithm  originally  motivated  the  development  of  the  more  gen- 
eral polynomial  time  algorithm  for  higher  dimensional  lattices,  and  hence 
of  historical  importance.  It  is  not  known,  however,  if  the  factor  4/3  can  be 
replaced  by  1  in  the  more  general  LLL-BASIS-REDUCTION  algorithm  (as 
in  the  case  of  two-dimensional  lattices)  without  sacrificing  the  polynomial 
time  complexity  of  the  algorithm. 
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